Backing up your GPOs (with and without PolicyPak Data): Don’t get burned
So many bad things can happen to your enterprise data.
Storage system failures, ransomware attacks, and fat finger deletes are just a few of the things that can wipe out critical data on which your organization depends. While most enterprises do implement a backup strategy to retain copies of their traditional data, Active Directory (AD) related data is ignored.
Do not to depend on AD replication as a backup strategy for your GPOs. If someone on your team accidently deletes a GPO, it will be deleted from the central store on all other DCs as well. Replication issues themselves may further complicate things. While AD replication provides redundancy in case a DC loses connectivity to the network, it does not serve as a backup strategy.
Additionally, even if you have a way to capture the full contents of AD data, sometimes AD backup and restore utilities do a poor job (or no job) of making it “point and click” easy restore when a Group Policy problem occurs.
Performing the Backup
Fortunately, backing up GPOs is simple and straight forward, whether you want to backup a single GPO or your entire collection. This goes for PolicyPak configured GPOs as well. The entire backup and restore process can be implemented using the Group Policy Management Console. The best way to see the complete list of a domain’s GPOs is to highlight the Group Policy Objects Container in the GPMC. To back up all of your GPOs in one process, simply:
- Highlight the container – right click and select “Backup All” from the context menu.
You can also backup any individual GPO:
- Highlight the designated GPO – right click and choose “Backup” from the context menu
- Next, highlight any GPO – right click and choose “Backup” from the context window, or click.
Of course, you will have to create a backup directory location to store the backup. Simply browse to the backup folder location and run the backup as is shown below. This methodology also works for GPOs with contain PolicyPak data.
Every time you create a new GPO or edit an existing one, you will need to implement a backup. For enterprises that have highly dynamic GPO environments that change consistently, there is a great PowerShell script that you can download to automate the process according to a regular schedule.
The script noted above has some bells and whistles. In the simplest case, you simply need a one-line PowerShell command.
Backup-GPO -Path c:\Temp -ALL
The results can be seen in below.
About the Restore
If you find that a particular GPO was deleted accidentally, you can simply highlight the Group Policy Objects Contain once again and select “Manage Backups.” Simply choose the GPO you previously backed up from the displayed list and choose “Restore” like what’s seen here.
You need to confirm the settings of a GPO first to make sure it is the one you want.
You could also use PowerShell to restore a GPO, but actually, that comes with some interesting (ahem, buggy) restore. Use the GUI in the GPMC to perform all restores: It’s way more reliable.
Additionally, those who utilize a Group Policy change management tool including Microsoft’s Advanced Group Policy Management (AGPM), NetIQ GPA, etc., have increased backup/restore functionality in that the AGPM backs up each subsequent change to a GPO. An AGPM Approver or AGPM Administrator can then perform a rollback operation to restore a prior GPO version. Deploying an earlier version of a GPO overwrites the version of the GPO currently in production.
An example of how do that can be seen here.
About Backup and Import (between domains)
Besides the ability to backup and restore one or more GPOs, GPMC also provides the ability to import policy settings from one GPO to another, even if they are in separate domains. To import to another domain, simply copy the backup directory to the new domain. Then, open up GPMC in the new domain and perform the following steps:
- Create a new GPO
- Right-click the new GPO and choose “Import Settings”
- Choose the backup folder you copied over
- Choose which GPO you wish to import
Note that when you import policy settings into a new domain, those settings may contain references to local domain items such as the domain name itself, users and groups, or a file path. These variables must be remapped, which you can do using the Migration Table Editor, located in the context menu of the Group Policy Objects container.
The GPMC export/import functionality only works with native policy settings. PolicyPak has its own export/import functionality for all of the settings that it supports. PolicyPak customers need only select the PolicyPak created GPO and choose edit. Then, navigate to the PolicyPak settings and select “Export settings to XMLData file.” You can then navigate to another GPO or create a new one and import the settings from that XMLData file. This process is illustrated in the image below.
First item is for all items EXCEPT PolicyPak Application Manager…. (so, like PolicyPak Browser Router)…
Then, for PolicyPak Application Manager, you should click into the item with the Options button, then specify Export XML Settings data like what’s seen here.
Just like your company documents or database application, your GPOs contain data, and like any data, it needs to be backed up on a routine basis. The absence of any backups means that you will have to recreate all the data lost inside one or all of your GPOs. Having good backups is essential for your everything in your GPO environment, including PolicyPak.